Affiliation:
1. Saarland University ,
2. CISPA Helmholtz Center i.G. ,
3. Univ. Lille / Inria / IUF ,
Abstract
Abstract
To support users with disabilities, Android provides the accessibility services, which implement means of navigating through an app. According to the Android developer’s guide: “Accessibility services should only be used to assist users with disabilities in using Android devices and apps”. However, developers are free to use this service without any restrictions, giving them critical privileges such as monitoring user input or screen content to capture sensitive information. In this paper, we show that simply enabling the accessibility service leaves 72 % of the top finance a nd 80 % of the top social media apps vulnerable to eavesdropping attacks, leaking sensitive information such as logins and passwords. A combination of several tools and recommendations could mitigate the privacy risks: We introduce an analysis technique that detects most of these issues automatically, e.g. in an app store. We also found that these issues can be automatically fixed in almost all cases; our fixes have b een accepted by 70 % of the surveyed developers. Finally, we designed a notification mechanism which would warn users against possible misuses of the accessibility services; 50 % of users would follow these notifications.
Reference25 articles.
1. [1] Y. Acar, M. Backes, S. Fahl, D. Kim, M. L. Mazurek, and C. Stransky. 2016. You Get Where You’re Looking for: The Impact of Information Sources on Code Security. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, San Jose, CA, USA, 289–305. https://doi.org/10.1109/SP.2016.2510.1109/SP.2016.25
2. [2] Efthimios Alepis and Constantinos Patsakis. 2017. Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era. In Security, Privacy, and Applied Cryptography Engineering, Sk Subidh Ali, Jean-Luc Danger, and Thomas Eisenbarth (Eds.). Springer International Publishing, Cham, 53–73.
3. [3] Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. 2016. AndroZoo: Collecting Millions of Android Apps for the Research Community. In Proceedings of the 13th International Conference on Mining Software Repositories (MSR ’16). 468–471. https://doi.org/10.1145/2901739.290350810.1145/2901739.2903508
4. [4] Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, and Eric Bodden. 2015. Mining Apps for Abnormal Usage of Sensitive Data. In 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 1. IEEE Computer Society, Florence, Italy, 426–436. https://doi.org/10.1109/ICSE.2015.6110.1109/ICSE.2015.61
5. [5] Bram Bonné, Sai Teja Peddinti, Igor Bilogrevic, and Nina Taft. 2017. Exploring decision making with Android’s run-time permission dialogs using in-context surveys. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017). USENIX Association, 195–210.
Cited by
12 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Improving Privacy and Security Using Android Accessibility Framework;2024 IEEE International Conference on Computing, Power and Communication Technologies (IC2PCT);2024-02-09
2. DARPA: Combating Asymmetric Dark UI Patterns on Android with Run-time View Decorator;2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN);2023-06
3. Integrating human values in software development using a human values dashboard;Empirical Software Engineering;2023-04-18
4. A Systematic Survey on Android API Usage for Data-driven Analytics with Smartphones;ACM Computing Surveys;2022-12-03
5. Hidden in Plain Sight;Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security;2022-11-07